1. Technical Field
The present invention relates in general to computer network security, and in particular to a method and system by which a network server authenticates a requesting client. Still more particularly, the present invention relates to a method and system by which a server authenticates a client when the server that will process the request is unknown to the client at the time the client initiates the request.
2. Description of the Related Art
A client-server network or system typically allows information processing functions to be shared among locations or facilities by a collection of computers and other devices linked together by a communications facility such as a network. Quite often, such distributed computing requires a highly structured environment which allows hardware and software to communicate, share resources, and freely exchange information.
Many large computing systems include resources such as one or more central processing units, main memories, disk and/or tape storage units, and printers. Such a system may also include user terminals or client terminals, such as workstations. In many implementations, each user or client terminal may have its own local resources, such as one or more central processing units, associated main memory, a printer, and disk or tape storage.
Alternately, a client or user terminal may request such resources from one or more servers or other workstations via a communications facility. In the present application, it is understood that a workstation includes other user terminals that are not necessarily sold as workstations, such as personal computers.
Different approaches have been utilized to maintain the security of system resources from unauthorized access. One such approach is the utilization of security tokens or authentication tickets carried from the client to a server. Such a security token or authentication ticket is typically utilized to prove the identity of the client to the server and further establish a way of securing subsequent communications between the two entities. Hence, a security token establishes a secure association between the client and the server.
Because obtaining a security token is costly, a security token is typically communicated to the server only on the first request. Obtaining the token requires an exchange over the client-server network with a security server, and processing the token is itself a complex computation.
Subsequent to the initial processing of the security protocol, the client and the server need a reliable way to communicate securely with each other under the established security association. Typically, an initial security token is transmitted with the first request, and subsequent requests by the client to the server do not require the same arduous ritual. A major problem which a security protocol must address is that some requests are forwarded by a first server, which initially accepts the client's request, to a second server which is capable of processing the request.
The server that actually services the client's request often cannot be identified by the client at the time the request is issued. Frequently, different servers require different protocols to authenticate clients. Therefore, the protocol structure and/or the type of authentication data required to gain access to an unknown server cannot be ascertained when the client's request is transmitted.
Stated differently, a client has no way to know what authentication data must be sent to a server, or in what form, because the server which will process the request is unknown at the time the client transmits the request.
It would therefore be desirable to provide a client-server security system which allows a client to be authenticated by a server which is unknown at the time of a client's request.
It is therefore one object of the present invention to provide computer network security.
It is another object of the present invention to provide a method and system for a network server to authenticate a client.
It is yet another object of the present invention to provide a method and system for a server to authenticate a client when a server is unknown to the client at the time the client initiates a request for access to the server.
The foregoing objects are achieved as is now described. A method for providing network security is disclosed wherein a network is comprised of at least one client and at least one server. The identity of the server that will process a request may be unknown at the time of the client's request. The method begins when a client transmits an information processing request, together with a negotiator object reference, to a server. The server receives the information processing request and the negotiator object reference. If the server can process the request, it becomes the accepting server. If the server cannot process the request, it retransmits the request to another server. This process continues until an accepting server is located. Next, the accepting server, using the received negotiator object reference, requests that the client process an authentication object. The accepting server determines whether the client has the authentication object and, if the client does not, sends the authentication object to the client. The client then invokes a method on the authentication object. The accepting server verifies the client's authentication in response to the processed authentication object. Finally, the accepting server services the information processing request if the client is verified, such that a server which is unknown to a client at the time of the client's request can verify the requesting client's authenticity.
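The exchange summarized above, as an added illustration that is not part of the patent's disclosure or of any implementation of it: a Python simulation in which every name (`Negotiator`, `Server`, `HmacChallengeAuth`, `SaltedHashAuth`, `Request`, `build_chain`, `run_exchange`) and both authentication schemes are assumptions chosen for the example. The negotiator object reference is modelled as a direct reference to a client-side `Negotiator`, "sending the authentication object" as installing a class in that negotiator, and the shared secrets and client names are constructed sample data; a real system would ship the object and the messages over the network.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class HmacChallengeAuth:
    """Keyed challenge-response; `run` is the method the client invokes with its secret."""
    challenge: bytes
    scheme = "hmac-sha256"   # hypothetical scheme label

    def run(self, secret: bytes) -> bytes:
        return hmac.new(secret, self.challenge, hashlib.sha256).digest()


@dataclass
class SaltedHashAuth:
    """A second, incompatible scheme so that the two servers genuinely differ."""
    challenge: bytes
    scheme = "salted-sha256"

    def run(self, secret: bytes) -> bytes:
        return hashlib.sha256(self.challenge + secret).digest()


class Negotiator:
    """Client-side object reached via the reference sent with each request."""
    def __init__(self, secret: bytes):
        self._secret = secret
        self._known = {}   # scheme -> authentication object class the client holds

    def has(self, scheme: str) -> bool:
        return scheme in self._known

    def install(self, cls) -> None:
        self._known[cls.scheme] = cls   # server-supplied object, now held by the client

    def process(self, scheme: str, challenge: bytes) -> bytes:
        # The client never chose the scheme: it runs whatever object the accepting server asked for.
        return self._known[scheme](challenge).run(self._secret)


@dataclass
class Request:
    operation: str
    client_id: str
    negotiator: Negotiator
    trace: list = field(default_factory=list)   # both sides' steps, for inspection


class Server:
    def __init__(self, name, handles, auth_cls, client_secrets, forward_to=None):
        self.name = name
        self.handles = set(handles)            # operations this server can service
        self.auth_cls = auth_cls               # authentication object it requires
        self.client_secrets = client_secrets   # client_id -> shared secret
        self.forward_to = forward_to           # next server in the chain, if any

    def receive(self, req: Request) -> str:
        if req.operation not in self.handles:
            req.trace.append(f"{self.name}: cannot process, forwarding")
            if self.forward_to is None:
                raise LookupError(f"no accepting server for {req.operation}")
            return self.forward_to.receive(req)
        req.trace.append(f"{self.name}: accepting")
        return self._authenticate_and_service(req)

    def _authenticate_and_service(self, req: Request) -> str:
        neg, scheme = req.negotiator, self.auth_cls.scheme
        if not neg.has(scheme):
            req.trace.append(f"{self.name}: client lacks {scheme}, sending authentication object")
            neg.install(self.auth_cls)
        challenge = os.urandom(16)   # fresh per request, so a captured response cannot be replayed
        response = neg.process(scheme, challenge)
        secret = self.client_secrets.get(req.client_id)
        expected = self.auth_cls(challenge).run(secret) if secret is not None else None
        if expected is None or not hmac.compare_digest(response, expected):
            req.trace.append(f"{self.name}: authentication failed")
            raise PermissionError(f"{req.client_id} not authenticated to {self.name}")
        req.trace.append(f"{self.name}: client verified, servicing {req.operation}")
        return f"{self.name} serviced {req.operation} for {req.client_id}"


def build_chain(client_secrets):
    """Two servers requiring different schemes; A forwards what it cannot handle to B."""
    server_b = Server("B", {"print"}, SaltedHashAuth, client_secrets)
    return Server("A", {"read"}, HmacChallengeAuth, client_secrets, forward_to=server_b)


def run_exchange(operation, client_id, first_server, negotiator):
    """Drive one request through the chain; returns (outcome, trace)."""
    req = Request(operation, client_id, negotiator)
    try:
        outcome = first_server.receive(req)
    except (PermissionError, LookupError) as exc:
        outcome = str(exc)
    return outcome, req.trace
```

Running `run_exchange("print", "alice", build_chain({"alice": b"alice-secret"}), Negotiator(b"alice-secret"))` returns the outcome together with a trace showing server A forwarding, server B accepting, B shipping `salted-sha256` because the client lacks it, and the verified request being serviced; a second `print` request with the same negotiator skips the shipping step, a wrong secret or unknown client ends in `PermissionError`, and an operation no server handles ends in `LookupError`. One point a practitioner should note: the client feeds its secret to an object supplied by a server it could not identify in advance, so the channel carrying that object (or the repository it comes from) must itself be authenticated, a matter the summary does not address.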
The above as well as additional objects, features, and advantages of the present invention will become apparent in the following detailed written description.